September 2010 - Posts

Research by Tufin Technologies has revealed that nearly a quarter of university students have successfully hacked into IT systems. Looks like data security professionals will have their work cut out for them in the future...

Stats: 28% Say IT System Hacking is Easy

There are some surprising numbers in the survey:

40% of successful hackers are over 18. This implies that 60% are under 18, meaning that they're probably incoming freshmen (the survey was restricted to university students).

84% know hacking is "wrong," 32% think it's "cool." Well, no argument there, but look who I work for. Sidebar: were the respondents mostly engineering students or something?

28% found it easy to hack an IT system. This is actually pretty worrisome, and yet not so much, as you'll see.

22% did it out of curiosity.

15% did it for financial gain. I knew a guy in college who made fake IDs. Maybe ID theft is now the new fake-ID "gig" from years past.

Facebook accounts were the most popular system to be hacked, followed by e-mail accounts and on-line shopping accounts.

Facebook? Honestly, what is there to hack? I guess supplying numerous passwords until something "clicks?" I mean, as far as I can tell, Facebook doesn't restrict access to an account after a set number of wrong tries (it asks you if you want to reset the password after the third wrong guess...but it allows you to try again and again. And again).

This is a different approach to security than what many sites (and products) offer. For example, our AlertBoot endpoint security software (disk encryption and file encryption) lets an administrator set up both rate-limiting and account lockouts. A lockout refuses any further password attempts after the nth wrong one, shutting out whoever is trying to get in. Rate-limiting inserts a growing delay between wrong tries, so that an attacker's progress is throttled: with a suitably strict setting, he'd have tried no more than 10 passwords in an hour.

More worrisome is the 15% who did it for financial gain. Combine that stat with the fact that over 50% of the surveyed students did the hacking from other people's computers (only 39% use their own computers), and you've got a potentially big problem in your hands.

One of the key aspects of data security is making a proper exit: logging out of a computer when you're done with it (even one protected with laptop encryption software, which does nothing for you while you're logged in), or closing and locking the door behind you. Call it the understatement of the century if you will, but it looks like it bears pointing out.

Man Uses Binoculars, Targets Open ATM Sessions

A man has been charged with multiple counts of identity theft. How did he go about it? Did he use a skimmer? Or perhaps glance over the shoulder of an ATM user? Or install a miniature camera?

No, no, and no. He used binoculars to watch people punch in their PINs, and when certain customers left their ATM sessions still open, he went in and used the PIN he just acquired. The story produces numerous questions:

How can binoculars be used to obtain someone's PIN? I mean, I'd imagine that my back would cover the number pad, be it on the countertop or in a screen in front of me. Did he only target rail-thin models and anorexics or what?

Why are certain ATMs designed so that you have to log out?

I've always had a beef with such ATMs. There are many types of ATMs out there. There are machines where you're supposed to swipe the card; others require you to insert the card. Of the latter, some spit out the card right after you enter the PIN, while others return the card before giving you the money, and still others only return the card as a last step, after you've collected your money.

Generally speaking, the last type of ATM is the type I like: getting the card as the last step means that I know I've been logged out of the ATM session when I receive the card. The one I personally dislike is where you swipe the card: the card never leaves your hand, but now you've got to remember to log off. If you're tired and in a hurry, sometimes you forget.

People sometimes forget to collect their card, sure; however, I personally have developed a routine where I always stuff the money into my wallet, check the presence of the card in the wallet, place the wallet in my front pocket (never the back pocket--easier for pickpockets), and then pat the outside of the pocket to make sure the wallet is really in there. I'm not sure why I do that last step, I just do it (perhaps to make sure I don't have a wallet-sized hole in my pocket? I dunno).

Thankfully, certain ATM-types that I dislike are designed to ask for the PIN again if you're going to proceed with a new transaction (which explains the man with the binoculars). Some ask you to swipe or feed the card again. There are others where all you have to do is hit "yes," which is the absolute worst when it comes to security.

Whose Responsibility is it?

The ATM users', no doubt. But then, there is something to be said about creating a proper user interface so that a lot of the burden (a minimal one, in this case) is lifted off the customers' shoulders if possible.

I mean, take laptop encryption and how you're required to log off after each session. It's common knowledge that laptop encryption--aka disk encryption, since it fully encrypts the laptop's internal hard disk--protects your data via the use of powerful encryption.

What's not so common knowledge is that laptop encryption only protects your data when the computer is turned off, or when the hard disk is taken out and hooked up to another computer (kind of like connecting an external portable hard drive). While you are logged in and using your computer, that protection is not in effect.

Makes sense, right? Encryption protects your data by making it unreadable. You're using your computer, so you must be able to see (read) what's going on. Hence, your data is not encrypted anymore.

(This is what's really going on: once the disk encryption software accepts the correct password, it decrypts whatever is read from the disk on the fly, and encrypts whatever is written back. Technically, what sits on the disk is still encrypted; in practice it doesn't matter, since the information is readable by whoever is sitting at that computer for as long as it stays unlocked. For all intents and purposes, encryption is not in place...although, from a technical perspective, it is.)

When using disk encryption, to ensure that no one gets to your data, you have to log off the computer after each session. If you leave it on for a couple of hours while you go visit clients, you don't have any security in place from a practical perspective. And, the software can't really log out for you.
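To make the "encrypted at rest, readable in use" distinction concrete, here is a toy sector-level encrypted store in Python. It is an added example written for this post, not AlertBoot's code or any real disk encryption product: the cipher is a keystream built from HMAC-SHA256 in counter mode (chosen only because it needs nothing outside the standard library; real products use AES-XTS or similar), the sector size is shrunk to 32 bytes, and the password, salt and "secret" sector contents are constructed for the demo.

```python
import hashlib
import hmac

SECTOR_SIZE = 32  # toy sector size; real disks use 512- or 4096-byte sectors


def _keystream(key: bytes, sector: int, length: int) -> bytes:
    """Per-sector keystream from HMAC-SHA256 in counter mode.

    Toy stream cipher used only to illustrate on-the-fly decryption;
    real disk encryption uses AES-XTS or a similar tweakable mode.
    """
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDisk:
    """Sector store whose 'media' only ever holds ciphertext."""

    def __init__(self, sectors: int) -> None:
        self._media = [bytes(SECTOR_SIZE) for _ in range(sectors)]  # what a thief gets
        self._key = None  # lives in RAM only while the disk is unlocked

    @staticmethod
    def derive_key(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def unlock(self, key: bytes) -> None:
        self._key = key

    def lock(self) -> None:
        # Shutting down: the key leaves memory and the media is unreadable again.
        self._key = None

    def write(self, sector: int, plaintext: bytes) -> None:
        if self._key is None:
            raise PermissionError("disk is locked")
        if len(plaintext) != SECTOR_SIZE:
            raise ValueError("toy disk writes whole sectors only")
        # Toy limitation: rewriting a sector reuses its keystream (two-time pad);
        # that is one reason real products use a block cipher mode instead.
        self._media[sector] = _xor(plaintext, _keystream(self._key, sector, SECTOR_SIZE))

    def read(self, sector: int) -> bytes:
        if self._key is None:
            raise PermissionError("disk is locked")
        return _xor(self._media[sector], _keystream(self._key, sector, SECTOR_SIZE))

    def raw_sector(self, sector: int) -> bytes:
        """What someone who pulls the disk (or copies the media) sees."""
        return self._media[sector]


def demo() -> dict:
    """Constructed walk-through: unlocked reads give plaintext, the media never does."""
    salt = b"constructed-salt"
    secret = b"SSN 123-45-6789 DOB 1960-01-01".ljust(SECTOR_SIZE, b"\0")
    disk = EncryptedDisk(sectors=4)
    disk.unlock(EncryptedDisk.derive_key("correct horse battery", salt))
    disk.write(0, secret)
    seen_while_unlocked = disk.read(0)
    on_media = disk.raw_sector(0)
    disk.lock()
    try:
        disk.read(0)
        readable_after_lock = True
    except PermissionError:
        readable_after_lock = False
    return {
        "plaintext_while_unlocked": seen_while_unlocked == secret,
        "plaintext_on_media": b"123-45-6789" in on_media,
        "readable_after_lock": readable_after_lock,
    }


if __name__ == "__main__":
    print(demo())
```

The thing to notice is where the key lives: `_media` is the only thing a thief walks off with, and it is useless without `_key`, which exists only between `unlock()` and `lock()`. Anyone at the keyboard during that window gets the same plaintext `read()` returns to you.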

Or can it? AlertBoot can be customized by a central administrator to log off users if the computer has been inactive for a set period. This is not as good as physically turning off the computer, since there is always a window (say, 15 minutes) during which someone could hop on to your computer and stick in a USB flash drive (actually, AlertBoot also features USB port control to prevent unauthorized USB memory sticks from being used, but still...logging off is always the better practice). Keep in mind, too, that with whole-disk encryption the disk key stays in memory for as long as the machine is running, including sleep and screen-lock; shutting down is what actually clears it.

The point is this: there are a bunch of security features included in disk encryption to ensure that you're protected, but ultimately, protection is maximized if you a) keep your password secret and b) log off after each computer session, two factors that can only be controlled by you, the user. Likewise with ATMs.

On the other hand, disk encryption is very straightforward and no-nonsense: log in, then log out or turn the computer off. There's nothing else to it. You don't have to hit Ctrl+Shift+F1 before logging out, or do the chicken dance, or whatever.

Which is different from ATM operation, where, depending on the machine, there are several different ways of closing out your session, as I described above. Sure, it's your responsibility to make sure you've properly ended your interaction with the cash machine, but some of them are not exactly helpful in this respect.

A new study claims that malicious intent is behind 62% of all data losses: 29% is attributed to hackers and 33% to insiders. The rest, 38%, is unintentional in nature. With such figures, does it make sense to use data security tools like laptop encryption software from AlertBoot? You betcha.

Preventing Data Breaches Due to Accidental Loss

Some are under the impression that data security tools will cover all possible data security ills. Consequently, they become disillusioned when they find out that this is not so. Indeed, sometimes they'll go as far as arriving at the conclusion that data security tools are unnecessary since they cannot prevent 100% of the breaches out there.

This is, of course, ridiculous. I mean, you're not safe when walking outside: something could fall on you, you could get mugged, an out of control car could smash right into you, etc. Are you going to give up walking outside because it's not 100% safe?

Likewise with encryption: sure, it's useless if the data breach is perpetrated by an authorized insider, so it cannot protect you and your company 100% of the time. But consider the numbers: to start with, it can prevent a good part of the "38% unintentional" data breaches out there.

Whether it's a lost or stolen laptop, external hard drive, desktop, USB memory device, CD or DVD, encryption software does a great job of preventing unauthorized people from gaining access to the information.

Preventing Insider Data Breaches

Furthermore, encryption can also be effective against insider data breaches, despite what I noted above. Remember, unauthorized people and insiders are not one and the same. One could very well be an insider and still be unauthorized to access certain data, and be prevented from doing so.

For example, maybe you've got the VP of sales who's on the outs with the CEO. That veep is going to get fired, and he knows it. So, he decides to steal some company information.

Now, if the company doesn't make use of encryption, it would be just a matter of walking up to the CEO's computer (well, assume doors are not locked), booting it from a USB drive or pulling its hard disk, and copying the files: the login password protects nothing in that scenario.

However, if disk encryption is used, filching the data becomes much harder, if not impossible, because the disk is unreadable without the password. And remember, anyone can be a data thief: the veep, the guy in middle management, your IT guy, the custodian... Not all of them can be kept away from the data (for example, if you've shared your password with someone), but a good number of them can.

All residents who were at Cooper University Hospital in 2008/2009 and 2009/2010 are being alerted to a breach of their personal information. A USB flash drive went missing only hours after a database was copied to it. It hasn't been mentioned whether encryption was used to protect the contents of the drive.

There is A LOT of Data in that USB Disk

While it hasn't been specified how many people are affected, one thing is for sure: those who are affected have justifiable grounds for tossing and turning at night. According to the notification letter sent by Cooper University Hospital, the following information was saved to the missing USB flashdrive:

USB Encryption: Reliable Protection

This is the sort of information you don't want falling into the wrong hands. And it wouldn't have, if the drive had been encrypted.

Had it? Cooper University Hospital, on account of being a hospital, is bound to the security and privacy rules found under HIPAA. Unfortunately for the residents, HIPAA was designed to protect patient information, not doctors' information.

On the other hand, the hospital probably has an extensive policy of using encryption software because of their patients. It would have been just a little hop, skip, and jump away to apply the same to doctors' information.

Why this focus on encryption? Because it's pretty much the only kind of data security control that still protects information after the device holding it has been stolen. Think about it. If the USB disk was protected by a locked door and a locked desk drawer, the data is at risk once both of those locks are picked. With encryption, the protection travels with the data.

Furthermore, if encryption from AlertBoot had been used, it would be pretty much guaranteed that the information on the lost USB drive couldn't be accessed: because of AlertBoot's design, an encrypted USB disk is usable only within a group of assigned computers.

If the thief plugs it into his own computer, the USB disk would show up as unformatted, and there would be no way for him to read the data.

In the real world, the strength of your laptop encryption doesn't matter: hackers assume it's very strong (and they usually wouldn't be wrong in making this assumption) and attack the system in some other way. While it isn't anyone's first choice of attack, guessing the password that unlocks an encrypted system is a time-honored and frequently used one.

Having a strong password matters. Certainly, there are many ways of gaining access to systems, including the use of malware to grab passwords, which renders moot the use of a strong password. On the other hand, it's hard to find any security professionals recommending the use of weak passwords. For example, if your password is "password," an often used password, you'll get an earful from any security expert.

So what is a strong password? That's actually a hard question to answer. It might be easier to answer "what is a weak password?" and then use the opposite of that as a definition of a strong password.

What are Weak Passwords?

Weak passwords are any passwords that can be easily guessed, either because they're something personal that others can figure out, or because it takes hardly any time to find them by brute force, where a hacker (here, a hacker being anyone who's intent on finding your password, be they a criminal in Belarus or your nosey kids) runs through all possible passwords.

For example, if your password is "aa" and the hacker starts with "a," it will take him at most 37 tries to find it: a through z (26 tries); 0 through 9 (10 tries); plus "aa." Compare that to "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa," which will take a very long while to reach using the same logic. In this sense, the longer the password, the more secure it is.

However, this is not always true. Because people tend to choose information that is personal to them as passwords, if your kids' names are Michael or Estelle, those are less secure than an unrelated, shorter name such as Amy: hackers will exploit the "personal" angle and try Michael or Estelle before trying anything else. This is also why dates of birth are discouraged as passwords: of the 366 possible days of the year, you'll probably choose your own, your kids', or your spouse's.

Generally, the more information a hacker has about you, the greater the chances, on average, of figuring out your password, which is why publicizing your mother's maiden name; significant dates (birth dates, wedding dates, etc); pet names; etc. on the internet is discouraged.

Another way that hackers curtail their pool of candidate passwords is by using a dictionary. Because people tend to use real words--correctly spelled, of course--a hacker's job is simplified by trying those first. How much simpler? The English language consists of approximately 750,000 words, including the stuff that no one would normally use. In comparison, over 8 billion distinct seven-character strings can be formed from the 26 lowercase letters alone (26 to the 7th power is about 8.03 billion), and that figure doesn't even include the 6-character, 5-character, etc. strings a hacker would also have to go through if he starts from "a."

But, there is a caveat to this non-dictionary rule as well: if you happen to love the string of characters @A1$Ad*((nssafSAD so that it's engraved into your laptop cover, printed on your t-shirt, used to personalize your pencils, etc., it falls into that "personal aspect" category that makes it ineligible as a strong password.

So, in summary, a weak password is something that is:

Short

Found in a dictionary or other list

Personal to you (and made public somehow)

A strong password can supposedly be created by avoiding the above. In practice, it's not that easy.
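The three criteria above, plus the counting argument from the previous section, can be turned into a small checker. This is an added example written for this post, not AlertBoot's code or any product's password policy: the wordlists are tiny constructed stand-ins for the dictionaries a cracker actually carries, the 12-character minimum is an assumption, and the enumeration order (a through z, then 0 through 9, shorter strings first) is the one the post uses for its "aa" example.

```python
# Enumeration order the post assumes: a..z, then 0..9, shorter strings first.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Tiny constructed stand-ins for the wordlists a real cracker carries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "abc123", "iloveyou"}
DICTIONARY = {"pencil", "kimchi", "michael", "estelle", "amy", "summer", "dragon", "monkey"}
COMMON_SUFFIXES = ("123", "1", "!", "2010")  # "password1" is still "password"


def brute_force_position(password: str, alphabet: str = ALPHABET) -> int:
    """1-based number of guesses an attacker enumerating every string over
    `alphabet`, shortest first, makes before reaching `password`.
    Raises ValueError if the password uses characters outside `alphabet`."""
    base = len(alphabet)
    shorter = sum(base ** k for k in range(1, len(password)))  # all shorter strings
    rank = 0
    for ch in password:
        rank = rank * base + alphabet.index(ch)  # position among same-length strings
    return shorter + rank + 1


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters."""
    return alphabet_size ** length


def strip_common_suffix(word: str) -> str:
    for suffix in COMMON_SUFFIXES:
        if word.endswith(suffix) and len(word) > len(suffix):
            return word[: -len(suffix)]
    return word


def weaknesses(password: str, personal_facts=(), min_length: int = 12) -> list:
    """Reasons a password is weak under the post's three criteria:
    short, found in a wordlist, or built from personal information."""
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append("short")
    candidates = {lowered, strip_common_suffix(lowered)}
    if candidates & (COMMON_PASSWORDS | DICTIONARY):
        reasons.append("in a wordlist")
    for fact in personal_facts:  # names, dates, pet names the attacker may know
        normalised = fact.lower()
        if len(normalised) >= 4 and normalised in lowered:
            reasons.append(f"personal: {fact}")
    return reasons


if __name__ == "__main__":
    print("guesses to reach 'aa':", brute_force_position("aa"))
    print("7-letter strings:", search_space(26, 7), "vs ~750,000 dictionary words")
    print(weaknesses("password1"))
    print(weaknesses("Michael2008", personal_facts=["Michael", "2008"]))
```

`brute_force_position("aa")` comes out at 37, matching the post's count, and `search_space(26, 7)` is 8,031,810,176: roughly ten thousand times the size of the 750,000-word dictionary, which is why a dictionary attack is tried first and why a real word with "1" stapled on the end buys almost nothing.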

The Trappings of a Strong Password

As many experts point out, the problem with using the above rules is that passwords become so confusing that one may not be able to memorize them. Is #@FWFfs!@123 something you could remember easily? (Technically, that 123 at the end is a no-no by virtue of being 123, a common string of numbers used in passwords.)

And even if you could, you might find yourself having to memorize a new one every three or six months. This requirement would be easier if your password was more personal, but we've established why that's a bad idea.

Pushed to its extreme, strong passwords can become a security liability because a significant number of people will end up writing the password down to reference it. And why wouldn't they? After all, that's what some people do with their encryption keys: they write it down and place it in a bank vault.

The reason? They're so long and complex that the keys cannot be memorized--which is why they can ensure data security to begin with. Of course, IT administrators who follow this procedure can afford to do so because they'll have to reference that encryption key once in a blue moon, if ever. If they had to pull out those encryption keys and reference them on a daily basis, it would be a very weak link in their data security chain.

So what to do? Well, there are certain tricks that can be used to create a strong password that is also memorable. They're less secure, in a sense, than completely random passwords, but much stronger than the usual passwords found out there (such as dictionary words combined with 123 at the end of the word: password1, for example).

Use a phrase, not a word, and enter certain symbols in between the words in the phrase. For example, take "this is my pencil" and create the password this@is*my&pencil.

Use a longer phrase and take the first letter of each word to create a password.

Combine unrelated words and numbers. For example, your birth date, "kimchi," and John Travolta's birth date would result in: 01011960kimchi02181954.

That's a long password, and if you forget Travolta's birth date, you can always look it up. Plus, it's a pretty random password. What do you, kimchi, and Travolta have in common? I'm guessing nothing. Of course, if there is a commonality, you want to pick some other word or some other number.
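The three tricks above, with a rough way to put numbers on the "less secure than random, stronger than the usual" claim. This is an added example written for this post, not the author's own tool: the guessing models (an attacker trying common words joined by punctuation versus an attacker trying every printable character) and the 20,000-word attacker dictionary are assumptions stated in the code; the post's own 750,000-word figure is shown alongside.

```python
import math

# Attacker models behind the estimates (assumptions, not measurements):
#   * a phrase of everyday words is guessed word-by-word from a list of
#     DICTIONARY_SIZE words, each separator from SYMBOL_CHOICES symbols;
#   * a random password is guessed character-by-character over PRINTABLE_ASCII.
DICTIONARY_SIZE = 20_000  # words an attacker would bother trying; the post cites ~750,000 for all of English
SYMBOL_CHOICES = 32       # printable ASCII punctuation characters
PRINTABLE_ASCII = 95


def symbol_joined(phrase: str, symbols: str) -> str:
    """'this is my pencil' with '@*&' -> 'this@is*my&pencil'."""
    words = phrase.split()
    if len(symbols) < len(words) - 1:
        raise ValueError("need one symbol for every gap between words")
    return words[0] + "".join(sym + word for sym, word in zip(symbols, words[1:]))


def acrostic(phrase: str) -> str:
    """First letter of each word: 'the quick brown fox' -> 'tqbf'.
    Only as strong as the phrase is private; famous quotes sit in cracking lists."""
    return "".join(word[0] for word in phrase.split())


def combine_unrelated(parts) -> str:
    """Concatenate unrelated fragments, e.g. a date, a word and another date."""
    return "".join(parts)


def phrase_bits(n_words: int, dictionary_size: int = DICTIONARY_SIZE,
                n_separators: int = 0, symbol_choices: int = SYMBOL_CHOICES) -> float:
    """Guessing-entropy estimate for a separator-joined phrase under the model above."""
    return n_words * math.log2(dictionary_size) + n_separators * math.log2(symbol_choices)


def random_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def compare(phrase: str, symbols: str, dictionary_size: int = DICTIONARY_SIZE) -> dict:
    """How far a memorable phrase falls short of a random password of the same length."""
    password = symbol_joined(phrase, symbols)
    n_words = len(phrase.split())
    return {
        "password": password,
        "length": len(password),
        "phrase_bits": round(phrase_bits(n_words, dictionary_size, n_words - 1), 1),
        "random_bits_same_length": round(random_bits(len(password)), 1),
    }


if __name__ == "__main__":
    print(compare("this is my pencil", "@*&"))
    print(acrostic("the quick brown fox jumps over the lazy dog"))
    print(combine_unrelated(["01011960", "kimchi", "02181954"]))
```

For "this@is*my&pencil" the model gives about 72 bits against an attacker who knows you build passwords this way (93 bits if he has to use the whole 750,000-word dictionary), versus about 112 bits for 17 truly random printable characters. That gap is the "less secure, in a sense" from above; the same 72 bits still dwarf "password1", and unlike the random string you can actually remember it.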

Again, this password is not as secure as a completely random one. However, it's good enough when combined with other data security measures. For example, in AlertBoot endpoint encryption, you can set a maximum number of tries before rate limiting kicks in.

What's a rate limit? It limits how soon you can enter another password after a wrong attempt. For example, the first three wrong attempts might be checked instantaneously, but the fourth attempt is delayed by two seconds, the fifth by 5 seconds, the sixth by 10 seconds, the seventh by 20 seconds, and so on. Soon enough, you can only enter one password per minute, dashing any hopes of guessing the correct password any time soon.
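Here is what that delay schedule, and the lockout option mentioned in the Facebook post above, look like in code. This is an added example written for this post, not AlertBoot's implementation: the schedule (three free tries, then 2, 5, 10 and 20 seconds, then doubling up to a one-minute cap), the lockout threshold and the constructed password and salt are all assumptions, and the PBKDF2 round count is lowered so the demo runs quickly.

```python
import hashlib
import hmac

SCHEDULE = (2, 5, 10, 20)  # seconds of delay after the 3rd, 4th, 5th and 6th wrong try
PBKDF2_ROUNDS = 10_000     # lowered for the demo; use far more in production


def delay_for(wrong_count: int, free_attempts: int = 3, cap: int = 60) -> float:
    """Seconds the next attempt must wait after `wrong_count` consecutive failures:
    nothing for the free attempts, then SCHEDULE, then doubling up to `cap`."""
    if wrong_count < free_attempts:
        return 0.0
    i = wrong_count - free_attempts
    if i < len(SCHEDULE):
        return float(SCHEDULE[i])
    return float(min(cap, SCHEDULE[-1] * 2 ** (i - len(SCHEDULE) + 1)))


class PasswordGate:
    """Password check with escalating delays and an optional hard lockout."""

    def __init__(self, password: str, salt: bytes, free_attempts: int = 3,
                 cap: int = 60, max_attempts=None) -> None:
        self._salt = salt
        self._digest = self._hash(password, salt)
        self.free_attempts, self.cap, self.max_attempts = free_attempts, cap, max_attempts
        self.wrong = 0          # consecutive wrong attempts
        self.not_before = 0.0   # earliest time the next attempt is accepted
        self.locked = False

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def attempt(self, password: str, now: float):
        """Return (status, seconds_to_wait). `now` is passed in rather than read
        from the clock so the demo never sleeps and the behaviour is deterministic."""
        if self.locked:
            return "locked", None
        if now < self.not_before:
            # Refused before the password is checked: a too-early try neither
            # counts as a failure nor reveals whether the guess was right.
            return "too_early", self.not_before - now
        if hmac.compare_digest(self._hash(password, self._salt), self._digest):
            self.wrong = 0
            return "ok", 0.0
        self.wrong += 1
        if self.max_attempts is not None and self.wrong >= self.max_attempts:
            self.locked = True
            return "locked", None
        wait = delay_for(self.wrong, self.free_attempts, self.cap)
        self.not_before = now + wait
        return "wrong", wait


def guesses_possible(window_seconds: float, **gate_options) -> int:
    """Wrong guesses an attacker who always tries as soon as allowed can make
    through the prompt within `window_seconds`."""
    gate = PasswordGate("correct horse battery", b"constructed-salt", **gate_options)
    now, count = 0.0, 0
    while now <= window_seconds:
        status, wait = gate.attempt("not-the-password", now)
        count += 1
        if status == "locked":
            break
        now += wait
    return count


if __name__ == "__main__":
    print("guesses per hour, rate limit only:", guesses_possible(3600))
    print("guesses per hour, lockout after 10:", guesses_possible(3600, max_attempts=10))
```

With this schedule an attacker at the prompt gets 66 guesses in the first hour and then one a minute; add `max_attempts=10` and he gets 10, full stop. Two caveats a practitioner would raise: a hard lockout also lets anyone who knows your user name lock *you* out, which is why the delay is usually preferred; and none of this helps if the thief images the disk and runs the key derivation offline, where only the password's own strength and a slow KDF stand in his way.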

Combine a non-weak password with the above, and you've made it very hard for anyone else to get at your data.

A money management firm in Guam has announced a data breach. A thief broke into their premises and stole a number of items which included an external hard drive with client information. The use of hard drive encryption software like AlertBoot was not mentioned. I assume it wasn't used, seeing how the firm didn't even have a security alarm system.

Affects All Clients

The hard drive that was stolen stored information for all clients to Advisors Unlimited, a firm with approximately 1,000 clients and $25 million under their management. Sensitive information includes "names, dates of birth, addresses, SSNs, driver's license numbers, bank account information, and credit card numbers -- in some cases."

The burglary happened on the evening of September 11, and has been described as an "indirect entry" by the firm's president. The Guam police noted that "the burglar or burglars gained access to the office through an adjacent business by climbing over a wall that separates the two businesses," according to guampdn.com. Their news article also has a photograph.

For those who don't quite understand how the burglar made their way into their office, the picture paints a thousand words: the thief pushed up the ceiling board on the side of the adjacent business, got into the vacant space where your HVAC and other wiring is placed, removed the ceiling board for Advisors Unlimited, and scurried down.

It's like getting into a caged area at a data center that uses raised floors, but instead of going over, you go under, lifting the floor tiles as necessary.

We know that Advisors Unlimited didn't have a security alarm system because of this:

"We are now going to have a security alarm system in place," [Advisors Unlimited's President Frank] Salas said. He added that the company never had one because there weren't any back entrances to the building and the only entrance faces the road in front of the Julale Shopping Center. "We never thought this would happen." [guampdn.com]

Man, that island life must be pretty idyllic; I'm not even being sarcastic here. I'm actually jealous that this man lives in an environment where theft is not even considered. Well, until it happens, that is.

Which brings me to the alarm system. I'm not sure that an intruder alarm system would have worked to prevent anything under the circumstances. I imagine that if a system had been set up, it would have been set up to catch people breaking in from the outside, with the environment being so safe and all. What Advisors Unlimited has in this situation is people breaking in from the inside, if that makes sense. I realize that intruder detection systems can also include motion sensors pointed towards the center of a room, but these are usually extra. You don't sign up for it if you don't see a need for it.

The same goes for the use of data encryption programs, except, of course, there is less room for error. Take, for example, whole disk encryption: since all the contents of a hard drive are encrypted, you won't have the problem where some important files are protected and other important files are not.

On the other hand, it also suffers from the same problem of "you don't use it if you don't see a need for it." It would be nice to hear a commitment from Advisors Unlimited on the use of encryption, just like they did for the alarm system.